SIM swapping

Nick Bilogorskiy
3 min read · Sep 10, 2018

In today’s world, passwords are the new exploits, and relying on a password alone is asking to be a victim of hacking. Security-conscious people and organizations use an additional layer of authentication — Two-Factor Authentication (2FA) — a method of confirming a user’s claimed identity in which a user is granted access after presenting two or more pieces of authenticating evidence. The most common method of 2FA that I have observed is SMS text-based codes. Nearly everyone has a phone that can send and receive text messages, so SMS-2FA is the fastest and easiest way for a user to confirm his or her identity.

However, this method is deeply flawed because of a new type of attack — SIM swapping. While this tactic has been around since at least 2014, it has gained steam recently because of the cryptocurrency bubble that has made SIM swapping attacks more lucrative.

SIM swapping involves “tricking” a mobile provider into moving the victim’s phone number to another SIM card that is controlled by the attacker.

In this type of scam, the fraudster typically obtains an individual’s banking details through phishing techniques or by purchasing them from organised crime networks. He or she then uses this information, including personal details sourced via social media, to pose as the victim to the mobile network operator and fool them into canceling the victim’s mobile number and reactivating it on a new SIM that is in the fraudster’s possession. As a result, all calls and texts to the victim’s number are rerouted to the attacker’s phone, including one-time passwords for banking or cryptocurrency trading transactions.

For example, a 25-year-old man in Florida was arrested this summer for leading a cyber gang of nine people that stole hundreds of thousands of dollars in virtual currencies from SIM swap victims. He was arrested after his mom called the police and said she had overheard her son talking on the phone, pretending to be an AT&T employee, and had found bags of SIM cards in his room. In August 2018, the authorities arrested a 19-year-old man in Tracy, California who stole more than a million dollars in bitcoin via SIM swapping and rewarded himself with two luxury cars: a 2012 Audi R8 and a 2018 McLaren.

SIM swapping attacks are not limited to individuals. The social media platform Reddit suffered a data breach after a hacker gained access to a database that contained personal details of users. Even though the database was protected by two-factor authentication, the hacker found his way in by hijacking authentication SMS messages sent to the accounts of cloud admins and source code hosting admins.

While SMS-2FA is imperfect, having it is better than not using 2FA at all. Raising the bar from keystroke logging to intercepting SMS is a big win. While SMS-2FA does not prevent account take-over entirely, it does make it more difficult for criminals. Account takeover is a business and when you make it expensive enough to get new accounts, attackers move on to other scams.

SIM swapping is not the only way to defeat 2FA. There are other methods; for instance, Android phones are extremely vulnerable to mobile malware, which can steal and read the passcodes on your phone.

In place of SMS for 2FA, I suggest using a hardware security token. These are not free; the cost can range from $18 to $50. Google and Facebook, among others, have been issuing such tokens to new employees along with their laptops. Thanks to solid physical security key 2FA, Google claims no employee account break-ins for one and a half years.

If you choose to rely on SMS, at a minimum I urge you to put a “lock” on your SIM by asking your mobile provider to create a special PIN for changes to the account. Here is how to do this:

Here is my 8-minute podcast on SIM Swapping attacks and how to safeguard against them. https://soundcloud.com/junipernetworks/how-to-safeguard-against-sim-swapping-attacks
